3.4. Storing Encrypted Passwords

Storing user passwords in the database as clear text is a security risk, because anybody who has access to your database would instantly be able to steal any user's login. And although that's not necessarily a big deal on this little recipe site, in general allowing people's passwords to leak is A Bad Thing. Among the many advantages of encrypting passwords in the database is that not even you can get to the password data, which is a nice thing to be able to say to your users.

If you aren't familiar with encryption and passwords, then the inclusion of a user data attribute called salt probably raised an eyebrow. I know that this is a recipe site but actually including salt in the user database seems a bit ... literal.

You are going to use one of Rails' built-in cryptographic modules to create a hash from the user password. Although the hash uniquely matches one specific password, it's computationally impossible (or at least computationally infeasible) to recreate the original password from it. By saving the hash instead of the password, you can still use the hash to validate a login attempt against the original password, but a malicious miscreant who got hold of the hash would not be able to recreate the password to perform a fake login.

Salt is a cryptographic term for a random or semi-random sequence that is input to a cryptographic algorithm along with the message to be encrypted. In this case, each user will have his or her own unique salt sequence, and you will ...
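The scheme the section describes, as an added example that is not the book's code: a per-user random salt generated with SecureRandom, a digest of salt plus password computed with Ruby's standard Digest library, and a verification step that compares digests in constant time. The module and method names are assumptions for illustration; a Rails model would call these from before_save and authenticate callbacks.

```ruby
require "digest"
require "securerandom"

# Added example (not from the book): per-user salted password hashing and
# verification. Only the salt and the digest are stored; the clear-text
# password never reaches the database.
module SaltedPassword
  SALT_BYTES = 16

  # Generate a fresh random salt for a new user (hex-encoded for storage).
  def self.generate_salt
    SecureRandom.hex(SALT_BYTES)
  end

  # Hash the password together with the user's own salt. Because the salt is
  # part of the input, two users with the same password get different digests,
  # and a precomputed table of digests for common passwords is useless.
  def self.hash_password(password, salt)
    Digest::SHA256.hexdigest("#{salt}--#{password}")
  end

  # Constant-time comparison: the time taken does not depend on how many
  # leading characters of the two digests match.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Check a login attempt against the stored salt and digest for that user.
  def self.authenticate?(password, salt, stored_digest)
    secure_compare(hash_password(password, salt), stored_digest)
  end
end

# Constructed sample "user record": what the users table would hold.
if __FILE__ == $PROGRAM_NAME
  salt = SaltedPassword.generate_salt
  digest = SaltedPassword.hash_password("correct horse", salt)
  puts "salt:   #{salt}"
  puts "digest: #{digest}"
  puts SaltedPassword.authenticate?("correct horse", salt, digest)
  puts SaltedPassword.authenticate?("wrong password", salt, digest)
end
```

The salt here defeats shared lookup tables, but SHA-256 is a fast hash, so a leaked digest can still be brute-forced quickly by guessing passwords one at a time. For production use today, a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high iteration count) applies the same salt-then-verify pattern with far more work per guess.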
